How does the "firewall prohibit-ip-spoofing" command actually work?

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.

By default, IP spoofing is enabled via the "firewall prohibit-ip-spoofing" command, which makes the controller deny multiple MAC addresses using same IP address. It means that all traffic from another MAC address with the same IP address that already exists in the user table is denied, and this new user will not be added to the user table. The check is made before adding any IP address to the user table and for each ARP request/response. If any spoofing happens, it will be logged.